Security bulletin on personal use of social media

Stephen Vallis, MARLANT Security Officer — Social Media is widely popular with Canadians and people worldwide, including Department of National Defence (DND) and Canadian Armed Forces (CAF) members and employees. It is a powerful communications tool but is not without risk. Within generally well-understood limits, DND/CAF members and employees are entitled to use social media freely. This bulletin will discuss some of those risks and limitations.

Social media blurs the boundary between private and public communication. Communicating on social media seems like a quiet conversation between friends, but it is more like shouting across a crowded room where many others will overhear.

Your audience may include:

• family, friends, co-workers, managers or supervisors;
• members of the public not affiliated with the DND or the CAF, news media, potential employers; and
• criminals, terrorists, and HIS (Hostile Intelligence Services).

There is strong potential for others to aggregate data by following a person or group over several social media platforms. This is an established practice for criminal enterprise, economic espionage, HIS intelligence gathering, hacking, and private sector organizations for marketing and hiring purposes.

Operations Security (OPSEC) focuses on the protection of open-source material or observable activities. Some unclassified DND/CAF information is still vital for the security of DND/CAF operations and must be protected appropriately; this is OPSEC. Any unclassified information must only be shared with undergoing routine release procedures. This includes photographs.

Essential Elements of Friendly Information (EEFI) is a significant component of OPSEC and comprises information which could be aggregated together in a way that would compromise OPSEC. EEFI must not be shared on social media.

Some examples include:

• readiness status of units or critical personnel, equipment;
• maintenance shortfalls and issues; and
• supply routes or schedules for resupply operations and locations of essential stocks or resources.

Once information is shared on social media, it is removed from DND/CAF control. Social media platforms sometimes take ownership of the data they host. Information shared on social media may compromise the privacy or security of other individuals.

Some relevant “Do’s and Don’ts”:

• DO NOT share information that may put others at risk, is sensitive, or may cause people to assume you are an authorized spokesperson;
• DO seek approval before releasing information gained as a result of your employment unless it’s already been officially released, AND you can identify the source;
• DO NOT share EEFI unless authorized to do so;
• DO seek authority to share information if you have any doubts.

Social media presents a considerable security risk since it has become a ubiquitous part of our culture. By applying control measures, that risk is reduced. Take a moment before you click ‘share’ to consider if you should.

SECURITY BULLETIN: Security Never Takes a Break – Vigilance!

Brigadier-General Denis Boucher, Director General Defence Security and Chief Security Officer

— 

As Director General Defence Security (DGDS) and Chief Security Officer (CSO), I have the pleasure of hosting Security Awareness Week (SAW), being held virtually from Feb. 6-10.

The week will promote sound security practises within the Department of National Defence (DND) and the Canadian Armed Forces (CAF) as part of the overall Government of Canada’s SAW effort while working remotely and on CAF operations. The DND/CAF SAW theme this year is “Do Your Part – Be Security Smart”.

Whether working from home or the office, we must remember always to stay VIGILANT. With the release of the DM/CDS Initiating Directive on Transitioning to a Hybrid Workforce to Support Full Business Resumption, and as DND is now formalizing these new ways of working, we understand the continuation of hybrid work will create new challenges in terms of security. It’s an excellent opportunity to rebuild a more robust security culture between DND/CAF employees and our security teams.

The SAW objective for the Department is to encourage ongoing security efforts to strengthen our security culture. This means energizing employees and members to integrate security into their daily activities. Ensuring proper security measures are in place, understood and followed are essential aspects of the work we accomplish individually and collectively for the Department. The impact is significant – it keeps our soldiers, sailors, and aviators safe on operations at home and abroad.

DGDS will engage employees and members at all levels leading up to, during and post-SAW. We will use our virtual security campaign and various communication products to reach members of the Defence Team in the NCR and also on Bases, Wings and Defence Establishments across the country.

To help make this SAW a success, DND/CAF leaders, Information System Security Officers (ISSO), Unit Security Supervisors (USS), security practitioners, and personnel assigned security functions who wish to promote security in their workplace may obtain products and information from the DGDS intranet toolkit. Also, the Regional Departmental Security Officers (RDSO) remain available to advise your leadership and to facilitate a link to the subject matter experts as necessary.

Every member of DND/CAF plays an essential role in keeping the Defence Team secure through VIGILANCE!

“Do Your Part-Be Security Smart”

Director General Defence Security

Some things we can do every day to uphold defence security:

• Store your protected and classified documents appropriately;
• Use your DWAN computer exclusively for work;
• Lock your computer no matter how long you plan to step away from your office;
• Do not plug anything not authorized into your DND/DWAN computer;
• Avoid clicking on links or opening any attachments that seem suspicious;
• Keep your DND/CAF issued IT devices safe by not traveling with them unless authorized; and
• If you have any security related questions about proper security procedures reach out to your Information Systems Security Officer (ISSO) or your Unit Security Supervisor (USS).